What are the differences between Microsoft’s commercial, GCC, GCC High, and DoD clouds?
Microsoft recently published an article contrasting their commercial, GCC, GCC High, and DoD clouds for Azure and MS365. Specifically, the article addressed whether each environment is suitable for data subject to different requirements, including DFARS 252.204-7012 (i.e., CUI) and CMMC Maturity Level 3. Their chart is reproduced below.
A few interesting notes from the chart:
- while CMMC Maturity Level 3 is explicitly addressed, CMMC Maturity Level 1 is not;
- Microsoft has refined their description of CUI to clarify that CUI Basic information is different from CUI Specified information (i.e., information for which a law, regulation, or government-wide policy specifies certain handling requirements, such as information subject to ITAR/EAR export controls) and that CUI Basic may not need the same level of protection as CUI Specified.